Question

0 Votes
nithyaswaminathan-2639 asked, shekhag24 answered

Mounting an Encrypted Data disk (Encrypted with ADE) to another VM from another VM that is being deallocated - Workflow - Clarification requested

Here is a workflow:
1. I have a VM with 2 disks - one is an OS disk and one is a Data Disk (Persistent Disk).
2. I mount the Data disk to the VM and I use ADE Encryption on it using the AzureDiskEncryptionForLinux VM extension. The key is stored in Azure Key Vault.
3. Later the VM is being replaced by another VM. The disk is unmounted from the old VM, and it is now being attached to the new VM. However, it fails to be mounted because it is a LUKS file type.

My question is: do we have to decrypt the disk before detaching it from the old VM and mounting it to the new VM, or is there a way to mount an already encrypted disk (done via ADE, with the key in Key Vault) to a new VM?

Thanks




azure-disk-encryption

@nithyaswaminathan-2639
Thanks for your post! From my experience, you shouldn't have to decrypt the data disk before attaching it to the new VM. However, I've reached out to our Linux ADE experts and will update you as soon as I receive guidance from their end.

Thank you for your time and patience.

0 Votes 0 ·

Thank you very much. I see that you have tagged the wrong Nithya; my name is nithyaswaminathan-2639. I look forward to hearing from you.

Thanks

0 Votes 0 ·
0 Votes
JamesTran-MSFT answered, SumanthMarigowda-MSFT commented

@nithyaswaminathan-2639
Thank you for your patience! If you're attaching an encrypted data disk to an unencrypted VM, you can try to set the same encryption settings on the second VM as you did on the original VM.


For example (a backup is recommended prior to performing any encryption steps on your VM):

VM1:
    az vm encryption enable --resource-group "VM1-RG" --name "VM-1" --disk-encryption-keyvault "ADEvault" --volume-type "All"

VM2:
    az vm encryption enable --resource-group "VM2-RG" --name "VM-2" --disk-encryption-keyvault "ADEvault" --volume-type "All"


Note:
Our Linux ADE SMEs let us know that you might run into issues when doing this, since this process for Linux VMs is not supported. However, if you have a backup you should be able to revert back to the last known "good" state.


If you have any other questions, please let me know.
Thank you!


@nithyaswaminathan-2639
I just wanted to check in and see if you required additional assistance or if you were able to resolve this issue?

0 Votes 0 ·

@nithyaswaminathan-2639 Just checking in to see if the above answer helped. If this answers your query, please don’t forget to "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

0 Votes 0 ·
0 Votes
nithyaswaminathan-2639 answered, JamesTran-MSFT converted comment to answer

"Our Linux ADE SMEs let us know that you might run into issues when doing this, since this process for Linux VMs is not supported"

@JamesTran-MSFT I did not understand this information that it is not supported for Linux. Are you saying it will work only for Windows VMs?

I will try your options, but can you help me understand what you meant by the above statement?

Thanks


0 Votes
JamesTran-MSFT answered

@nithyaswaminathan-2639

The process of:
1) Encrypting a VM with a data disk (volumeType All)
2) Moving that encrypted data disk to a new unencrypted VM
3) Encrypting that new VM with the same encryption settings as the original VM
is currently only supported for Windows VMs.

From what I was told, the reason it's not supported is that on Linux you have to manually modify /etc/fstab and /etc/crypttab and manually open the drive with cryptsetup luksOpen; just attaching the disk to the VM is not enough to get it to work. However, on a Windows VM, all you have to do is attach the data disk, assign it a drive letter, and re-run the sequence version encryption script.

I hope this helps to clarify why the process isn't supported.


If you have any other questions or would like to work closer with our support engineers on this process, please let me know.
Thank you for your time and patience.

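The manual Linux steps James describes above (open the LUKS container with cryptsetup luksOpen, then add /etc/crypttab and /etc/fstab entries) can be scripted so that re-attaching the disk to a replacement VM is repeatable. The script below is an added example, not code from this thread or from the AzureDiskEncryptionForLinux extension. The mapper name `datadisk_crypt`, the mount point `/data`, the key-file directory `/etc/ade-keys`, and all function names are my own choices; it also assumes that the Key Vault secret referenced by the disk's encryption settings holds the base64-encoded LUKS key file, and that the secret URL is taken from the original disk's encryption settings (for example via `az vm encryption show` on the old VM).

```shell
#!/bin/sh
# Added example (hypothetical helper); not part of the thread or of the ADE extension.
# Re-attaches an ADE/LUKS-encrypted data disk on a replacement Linux VM:
#   1. fetch the LUKS key file from Key Vault (ASSUMED: secret value is base64-encoded),
#   2. open the container with cryptsetup luksOpen,
#   3. add idempotent /etc/crypttab and /etc/fstab entries so the mount survives reboots.
set -eu

# ---- pure helpers (no root required) -------------------------------------

# crypttab entry: <mapper name> <LUKS device by UUID> <key file> <options>
crypttab_line() {
    printf '%s UUID=%s %s luks,nofail\n' "$1" "$2" "$3"
}

# fstab entry for the opened mapper device. "nofail" keeps the VM booting if
# the data disk is detached again, which is the normal case for a VM that gets rebuilt.
fstab_line() {
    printf '/dev/mapper/%s %s %s defaults,nofail 0 2\n' "$1" "$2" "$3"
}

# Append a line to a file only if that exact line is not already present, so
# re-running the script after a failed attempt does not duplicate entries.
append_if_missing() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# ---- privileged steps ----------------------------------------------------

# Retrieve the key file from Key Vault. ASSUMPTION: the secret stores the key
# file base64-encoded. The file is created with owner-only permissions because
# it now lives on the (unencrypted) OS disk of the new VM.
fetch_keyfile() {
    secret_url="$1"; keyfile="$2"
    umask 077
    az keyvault secret show --id "$secret_url" --query value -o tsv | base64 -d > "$keyfile"
    chmod 0400 "$keyfile"
}

# attach_encrypted_disk <block device> <key vault secret URL> <mapper name> <mount point>
attach_encrypted_disk() {
    device="$1"; secret_url="$2"; name="$3"; mnt="$4"
    keyfile="/etc/ade-keys/$name.key"
    mkdir -p /etc/ade-keys "$mnt"

    # Refuse to touch anything that is not actually a LUKS container.
    cryptsetup isLuks "$device" || { echo "$device is not a LUKS volume" >&2; return 1; }
    luks_uuid=$(cryptsetup luksUUID "$device")

    [ -f "$keyfile" ] || fetch_keyfile "$secret_url" "$keyfile"

    # Open the container (skipped if the mapper device already exists).
    [ -e "/dev/mapper/$name" ] || cryptsetup luksOpen --key-file "$keyfile" "$device" "$name"

    fstype=$(blkid -o value -s TYPE "/dev/mapper/$name")
    append_if_missing /etc/crypttab "$(crypttab_line "$name" "$luks_uuid" "$keyfile")"
    append_if_missing /etc/fstab "$(fstab_line "$name" "$mnt" "$fstype")"
    mountpoint -q "$mnt" || mount "$mnt"
}

# Runs only when explicitly requested, e.g. (placeholder secret URL):
#   ADE_RUN=1 sh attach.sh /dev/sdc 'https://ADEvault.vault.azure.net/secrets/<secret-name>/<version>' datadisk_crypt /data
if [ "${ADE_RUN:-0}" = "1" ]; then
    attach_encrypted_disk "$@"
fi
```

The helper functions are deliberately separated from the privileged steps so the crypttab/fstab lines can be checked before anything is written to the system. Because the key file ends up on the new VM's unencrypted OS disk, it should stay root-owned and mode 0400, and, as the thread already advises, a backup of the data disk is worth taking before trying this on a disk that matters.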

@JamesTran-MSFT
Thank you for the detailed explanation. A note: I am not encrypting both the OS and the Data disks. I am only encrypting a data disk (a managed storage disk) - VolumeType DATA. I am encrypting that storage disk (DATA) in the 1st VM. In case the first VM is not responsive, I am creating a new VM and I am trying to move this storage disk and attach it to the new VM. The OS in both VMs is not encrypted.

So does the same issue exist for Data Disks? In the 2nd VM, will we still have to manually modify the /etc/fstab and the /etc/crypttab files, or will the AzureDiskEncryptionForLinux extension that we are using help automount the disks?


0 Votes 0 ·

@nithyaswaminathan-2639
Thanks for the clarification. Yes, the same issue would exist with both VolumeType Data and All, since you're going to be dealing with an encrypted Data Disk in both scenarios.

If you have any other questions, please let me know.
Thank you!

0 Votes 0 ·
0 Votes
nithyaswaminathan-2639 answered, nithyaswaminathan-2639 commented

@JamesTran-MSFT - Thank you very much for your clarifications and answers around support for ADE Encryption in Linux VMs.

I would like to take this opportunity to provide feedback regarding the ADE encryption feature in Linux VMs. In cloud computing, VMs can be replaced at any time, and the ADE Encryption for disks needs to be idempotent; that is, wherever the disk is being moved, the ADE encryption for Linux extension should take care to mount LUKS disks to the new VM and abstract that away from the users. There is no point in having encryption on a disk that has data if, when the VM that hosts the disk has issues, the disk has to be manually attached by the user and opened. This logic has to be taken care of by the extension.

In addition, I would like to thank you, James, for your prompt response to my questions. That is excellent customer service. Thanks so much.


@nithyaswaminathan-2639
Thank you for the kind comments and feedback request.

I went ahead and created a feature request for you using what you mentioned above, feel free to add additional comments. Additionally, I have reached out to our Linux ADE SME with this info so that he can hopefully pass this feature request to our ADE PG team.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue!

Feature Request

1 Vote 1 ·

Thank you @JamesTran-MSFT for creating this feature request!

0 Votes 0 ·
0 Votes
shekhag24 answered

@JamesTran-MSFT - Could you please share if the requested feature is available for Linux? Thanks.
